The State of User Authentication in the Wild

Abstract

User authentication is a field under active research by the academic community, startups, and established companies alike. In this context, passwords are regularly declared "dead", and there is a strong desire to replace passwords as the most widely used authentication method. In this paper we intend to map the current state of user authentication as typically seen by end users. We evaluated the mechanisms used by 48 different services, including websites, IoT/smart home devices, and mobile devices.

Our main findings are: (i) Passwords are still the most prevalent primary authentication method (the only exceptions use PINs). (ii) Most services support 2FA, requested either in combination with the first factor (immediate 2FA) or only when a more sensitive operation is triggered (delayed 2FA). (iii) No service offered a simple way to recover a second factor without having another second factor already set up. Based on these findings, we derive recommendations for a more comprehensive perspective on user authentication.